We initiate the study of multi-source extractors in the quantum world. In this setting, our goal is
to extract random bits from two independent weak random sources, on which two quantum adversaries
store a bounded amount of information. Our main result is a two-source extractor secure against quantum
adversaries, with parameters closely matching the classical case and tight in several instances. Moreover,
the extractor is secure even if the adversaries share entanglement. The construction is the
Chor-Goldreich [CG88] two-source inner product extractor and its multi-bit variant by Dodis et al. [DEOR04].
Previously, research in this area focused on the construction of seeded extractors secure against quantum
adversaries; the multi-source setting poses new challenges, among which is the presence of entanglement
that could potentially break the independence of the sources.

1 Introduction and Results

Randomness extractors are fundamental in many areas of computer science, with numerous applications to
derandomization, error-correcting codes, expanders, combinatorics and cryptography, to name just a few.
Randomness extractors generate almost uniform randomness from imperfect sources, as they appear either
in nature, or in various applications. Typically, the imperfect source is modelled as a distribution over n-bit
strings whose min-entropy is at least k, i.e., a distribution in which no string occurs with probability greater
than $2^{-k}$ [SV84, CG88, Zuc90]. Such sources are known as weak sources. One way to arrive at a weak
source is to imagine that an adversary (or some process in nature), when in contact with a uniform source,
stores $n - k$ bits of information about the string (which are later used to break the security of the extractor,
i.e. to distinguish its output from uniform). Then, from the adversary's point of view, the source essentially
has min-entropy k.

Ideally, we would like to extract randomness from a weak source. However, it is easy to see that no
deterministic function can extract even one bit of randomness from all such sources, even for min-entropies
as high as $n - 1$ (see e.g. [SV84]). One main approach to circumvent this problem is to use a short truly
random seed for extraction from the weak source (seeded extractors) (see, e.g., [Sha02]). The other main
approach, which is the focus of the current work, is to use several independent weak sources (seedless
extractors) (e.g. [CG88, Vaz87, DEOR04, Bou05, Raz05] and many more).

With the advent of quantum computation, we must now deal with the possibility of quantum adversaries
(or quantum physical processes) interfering with the sources used for randomness extraction. For instance,
one could imagine that a quantum adversary now stores $n - k$ qubits of information about the string sampled
from the source. This scenario of a bounded storage quantum adversary arises in several applications, in
particular in cryptography.

Some constructions of seeded extractors were shown to be secure in the presence of quantum adversaries:
König, Maurer, and Renner [RK05, KMR05, Ren05] proved that the pairwise independent extractor
of [ILL89] is also good against quantum adversaries, and with the same parameters. König and Terhal
[KT08] showed that any one-bit output extractor is also good against quantum adversaries, with roughly
the same parameters. In light of this, it was tempting to conjecture that any extractor is also secure against
quantum storage. Somewhat surprisingly, Gavinsky et al. [GKK+08] gave an example of a seeded extractor
that is secure against classical storage but becomes insecure even against very small quantum storage.
This example has initiated a series of recent ground-breaking work that examined which seeded extractors
stay secure against bounded storage quantum adversaries. Ta-Shma [Ta-09] gave an extractor with a short
(polylogarithmic) seed extracting a polynomial fraction of the min-entropy. His result was improved by De
and Vidick [DV10] extracting almost all of the min-entropy. Both constructions are based on Trevisan's
extractor [Tre01].

However, the question of whether seedless multi-source extractors can remain secure against quantum
adversaries has remained wide open. The multi-source scenario corresponds to several independent adversaries,
each tampering with one of the sources, and then jointly trying to distinguish the extractor's output
from uniform. In the classical setting this leads to several independent weak sources. In the quantum world,
measuring the adversaries' stored information might break the independence of the sources, thus jeopardizing
the performance of the extractor.^1 Moreover, the multi-source setting offers a completely new aspect of
the problem: the adversaries could potentially share entanglement prior to tampering with the sources.
Entanglement between several parties has been known to yield several astonishing effects with no counterpart
in the classical world, e.g., non-local correlations [Bel64] and superdense coding [BW92].

We note that the example of Gavinsky et al. can also be viewed as an example in the two-source model;
we can imagine that the seed comes from a second source (of full entropy in this case, just like any seeded
extractor can be artificially viewed as a two-source extractor). And obviously, in the same way, recent work
on quantum secure seeded extractors artificially gives secure two-source extractors, albeit for a limited range
of parameters and without allowing for entanglement. However, no one has as of yet explored how more
realistic multi-source extractors fare against quantum adversaries, and in particular how entanglement might
change the picture. We ask: Are there any good multi-source extractors secure against quantum bounded
storage? And does this remain true when considering entanglement?

^1 Such an effect appears also in strong seeded extractors and has been discussed in more detail in [KT08].

Our results: In this paper we answer all these questions in the positive. We focus on the inner-product
based two-source extractor of Dodis et al. [DEOR04] (DEOR-extractor). Given two independent weak
sources X and Y with the same length n and min-entropies $k_1$ and $k_2$ satisfying $k_1 + k_2 \ge n$, this extractor
gives m close to uniform random bits, where $m \approx \max(k_1, k_2) + k_1 + k_2 - n$. In recent years several
two-source extractors with better parameters have been presented; however, the DEOR-construction stands out
through its elegance and simplicity and its parameters still fare very well in comparison with recent work
(e.g., [Bou05, Raz05]).

A first conceptual step in this paper is to define the model of quantum adversaries and of security in
the two-source scenario (see Defs. 5 and 6): Each adversary gets access to an independent weak source
X (resp. Y), and is allowed to store a short arbitrary quantum state.^2 In the entangled setting, the two
adversaries may share arbitrary prior entanglement, and hence their final joint stored state is the possibly
entangled state $\rho_{XY}$. In the non-entangled case their joint state is of the form $\rho_{XY} = \rho_X \otimes \rho_Y$. In both cases,
the security of the extractor is defined with respect to the joint state they store.

Definition 1. [Two-source extractor against (entangled) quantum storage (informal):] A function
$E : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^m$ is a $(k_1, k_2, \varepsilon)$ extractor against $(b_1, b_2)$ (entangled) quantum storage if for
any sources X, Y with min-entropies $k_1, k_2$, and any joint stored quantum state $\rho_{XY}$ prepared as above, with
X-register of $b_1$ qubits and Y-register of $b_2$ qubits, the distribution E(X, Y) is $\varepsilon$-close to uniform even when
given access to $\rho_{XY}$.

Depending on the type of adversaries, we will say E is secure against entangled or non-entangled storage.
Note again that entanglement between the adversaries is specific to the multi-source scenario and does
not arise in the case of seeded extractors.

Having set the framework, we show that the construction of Dodis et al. [DEOR04] is secure, first in the
case of non-entangled adversaries.

Theorem 2. The DEOR-construction is a (ki,k2,£.) extractor against (fci,fc2) non-entangled storage with 
m = (l-o(l))max(fci - ^,^2- y) + 5(^1 -h+k2-b2-n) -91oge"i - 0{1) output bits, pro- 
vided ki -\-k2 — max(&i, &2) > n-\- Q(log'^(n/e)). 

As we show next the extractor remains secure even in the case of entangled adversaries. Notice the loss 
of essentially a factor of 2 in the allowed storage; this is related to the fact that superdense coding allows to 
store n bits using only n/2 entangled qubit pairs. 

Theorem 3. The DEOR-construction is a {ki, k2, £■) extractor against (bi, ^2) entangled storage with m = 
(1 — o{l))max{ki — ^2/^2 — ^1) + ^(^1 — 2iii + /c2 — 2^2 — n) — 9Ioge^^ — 0(1) output bits, provided 
ki + k2 -2max(&i,b2) > n + Q(log^(n/£)). 

Note that in both cases, when the storage is linear in the source entropy we can output $\Omega(n)$ bits with
exponentially small error. To compare to the performance of the DEOR-extractor in the classical case,
note that a source with min-entropy k and classical storage of size b roughly corresponds to a source of
min-entropy $k - b$ (see, e.g., [Ta-09, Lem. 3.1]). Using this correspondence, the extractor of [DEOR04]
gives $m = \max(k_1, k_2) + k_1 - b_1 + k_2 - b_2 - n - 6\log\varepsilon^{-1} - O(1)$ output bits against classical storage,
whenever $k_1 + k_2 - \max(b_1, b_2) > n + \Omega(\log n \cdot (\log n + \log\varepsilon^{-1}))$. Hence the conditions under which
we can extract randomness are essentially the same for DEOR and for our Thm. 2. The amount of random
bits we can extract is somewhat less than in the classical case, even when disregarding storage.

^2 In the setting of seeded extractors with one source, this type of adversary was called quantum encoding in [Ta-09].

In the non-entangled case, we are able to generalize our result to the stronger notion of guessing entropy
adversaries or so called quantum knowledge (see discussion below and Sec. 5 for details). We show that the
DEOR-extractor remains secure even in this case, albeit with slightly weaker parameters.

Theorem 4. The DEOR-construction is a {ki,k2,£.) extractor against quantum knowledge with m = (1 — 
o(l)) msix{ki,k2) + \{ki+k2 — n) — 91oge^^ — 0(1) output bits, provided ki +k2> n + n(log^(n/e)). 

Strong extractors: The extractor in Thms. 2, 3 and 4 is a so called weak extractor, meaning that when
trying to break the extractor, no full access to any of the sources is given (which is natural in the
multi-source setting). We also obtain several results in the so called strong case (see Cor. 15, Lem. 19, Cor. 29
and Lem. 30). A strong extractor has the additional property that the output remains secure even if the
adversaries later gain full access to any one (but obviously not both) of the sources.^3 See Sec. 2 for details
and a discussion of the subtleties in defining a strong extractor in the entangled case, and Secs. 3, 4 and 5
for our results in the strong case.

Tightness: In the one-bit output case, we show that our results are tight, both in the entangled and
non-entangled setting (see Lem. 17).

Proof ideas and tools: To show both of our results, we first focus on the simplest case of one-bit outputs.
In this case the DEOR extractor [DEOR04] simply computes the inner product $E(x,y) = x \cdot y \pmod 2$
of the n-bit strings x and y coming from the two sources. Assume that the two adversaries are allowed
quantum storage of b qubits each. Given their stored information they jointly wish to distinguish $E(x,y)$
from uniform, or, in other words, to predict $x \cdot y$. We start by observing that this setting corresponds to the
well known simultaneous message passing (SMP) model in communication complexity,^4 where two parties,
Alice and Bob, have access to an input each (which is unknown to the other). They each send a message
of length b to a referee, who, upon reception of both messages, is to compute a function $E(x,y)$ of the
two inputs. When E is hard to compute, it is a good extractor. Moreover, the entangled adversaries case
corresponds to the case of SMP with entanglement between Alice and Bob, a model that has been studied
in recent work (see e.g. [GKRdW09, GKdW06]).

Before we proceed, let us remark that there are cases where entanglement is known to add tremendous
power to the SMP model. Namely, Gavinsky et al. [GKRdW09] showed an exponential saving in communication
in the entangled SMP model, compared to the non-entangled case.^5 This points to the possibility that
some extractors can be secure against a large amount of storage in the non-entangled case, but be insecure
against drastically smaller amounts of entangled storage. Our results show that this is not the case for the
DEOR extractor, i.e., that this construction is secure against the potentially harmful effects of entanglement.

In the one-bit output DEOR case we can tap into known results on the quantum communication complexity
of the inner product problem (IP). Cleve et al. [CvDNT98] and Nayak and Salzman [NS06] have
given tight lower bounds in the one-way and two-way communication model, with and without entanglement
(which also gives bounds in the SMP model). For instance, in the non-entangled case, to compute
IP exactly in the one-way model, n qubits of communication are needed, and in the SMP model, n qubits
of communication are needed from Alice and from Bob, just like in the classical case. Note that whereas
in the communication setting typically worst case problems are studied, extractors correspond to average
case (w.r.t. weak randomness) problems. With some extra work we can adapt the communication lower
bounds to weak sources and to the average bias which is needed for the extractor result. In fact, the results
we obtain hold in the strong case (where later one of the sources is completely exposed), which corresponds
to one-way communication complexity.

^3 In [DEOR04], this is called a strong blender.

^4 The connection between extractors and communication complexity has been long known, see, e.g., [Vaz87].

^5 This result has been shown for a relation, not a function. It is tempting to conjecture that this result can be turned into an
exponential separation for an extractor with entangled vs. non-entangled adversaries. It is, however, not immediate how to turn a
worst case relation lower bound into an average case function bound, as needed in the extractor setting, so we leave this problem
open.

Tightness of our results comes from matching upper bounds on the one-way and SMP model communication
complexity of the inner product. Adapting the work of [CG88] we can obtain tight bounds for any
bias $\varepsilon$. Somewhat surprisingly, it seems no one has looked at tight upper bounds for IP in the entangled
SMP model, where [CvDNT98] give an n/2 lower bound for the message length for Alice and Bob. It turns
out this bound is tight,^6 which essentially leads to the factor 2 separation in our results for the entangled vs.
non-entangled case (see Sec. 3).

To show our results for the case of multi-bit extractors, we use the nice properties of the DEOR construction
(and its precursors [Vaz87, DO03]). The extractor outputs bits of the form $Ax \cdot y$. Vazirani's
XOR-Lemma allows to reduce the multi-bit to the one-bit case by relating the distance from uniform of the
multi-bit extractor to the sum of biases of XOR's of subsets of its bits. Each such XOR, in turn, is just a
(linearly transformed) inner product, for which we already know how to bound the bias. Our main technical
challenge is to adapt the XOR lemma to the case of quantum side-information (see Sec. 2). This way
we obtain first results for multi-bit extractors, which even hold in the case of strong extractors. Following
[DEOR04], we further improve the parameters in the weak extractor setting by combining our strong
two-source extractor with a good seeded extractor (in our case with the construction of [DPVR09]) to extract
even more bits. See Sec. 4 for details.

Guessing entropy: One can weaken the requirement of bounded storage, and instead only place a lower
bound on the guessing entropy of the source given the adversary's storage, leading to the more general
definition of extractors secure against guessing entropy. Informally, a guessing entropy of at least k means
that the adversary's probability of correctly guessing the source is at most $2^{-k}$ (or equivalently, that given
the adversary's state, the source has essentially min-entropy at least k). Working with guessing entropy has
the advantage that we no longer have to worry about two parameters (min-entropy and storage) instead only
working with one parameter (guessing entropy), and that the resulting extractors are stronger (assuming
all other parameters are the same), see Sec. 5. In the classical world, a guessing entropy of k is more or
less equivalent to a source with k min-entropy; in the quantum world, however, things become less trivial.
In the case of seeded extractors, this more general model has been successfully introduced and studied
in [Ren05, KT08, FS08, DPVR09, TSSR10], where several constructions secure against bounded guessing
entropy were shown.^7

In the case of non-entangled two-source extractors, we can show (based on [KT08]) that any classical
one-bit output two-source extractor remains secure against bounded guessing entropy adversaries, albeit
with slightly worse parameters. Moreover, our XOR-Lemma allows us to prove security of the DEOR-extractor
against guessing entropy adversaries even in the multi-bit case (Thm. 4, see Sec. 5 for the details).^8

In the entangled adversaries case, one natural way to define the model is to require the guessing entropy
of each source given the corresponding adversary's storage to be high. This definition, however, is too
strong: it is easy to see that no extractor can be secure against such adversaries. This follows from the
observation that by sharing a random string $r_1 r_2$ (which is a special case of shared entanglement) and having
the first adversary store $r_1 \oplus x, r_2$ and the other store $r_1, r_2 \oplus y$, we keep the guessing entropy of X (resp.
Y) relative to the adversary's storage unchanged yet we can recover x and y completely from the combined
storage.



^6 We thank Ronald de Wolf [dW10] for generously allowing us to adapt his upper bound to our setting.

^7 Renner [Ren05] deals with the notion of relative min-entropy, which was shown to be equivalent to guessing entropy [KRS09].

^8 We are grateful to Thomas Vidick for pointing out that our XOR-Lemma allows us to obtain results also in this setting.



Hence we are naturally led to consider the weaker requirement that the guessing entropy of each source
given the combined storage of both adversaries is high. We now observe that already the DEOR one-bit
extractor (where the output is simply the inner product) is not secure under this definition, indicating that
this definition is still too strong. To see this, consider uniform n-bit sources X, Y, and say Alice stores
$x \oplus r$, and Bob stores $y \oplus r$, where r is a shared random string. Obviously, their joint state does not help in
guessing X (or Y), hence the guessing entropy of the sources is still n; but their joint state does give $x \oplus y$.
If, in addition, Alice also stores the Hamming weight $|x| \bmod 4$ and Bob $|y| \bmod 4$, the guessing entropy
is barely affected, and indeed one can easily show it is $n - O(1)$. However, their information now suffices
to compute $x \cdot y$ exactly, since $x \cdot y = \frac{1}{2}\big((|x| + |y| - |x \oplus y|) \bmod 4\big)$. Hence inner product is insecure in
this model even for very high guessing entropies, even though it is secure against a fair amount of bounded
storage.
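
The counterexample above can be checked exhaustively for small n. The following Python example is added here and is not part of the paper; its function names are hypothetical. It enumerates every triple (x, y, r), confirms that the joint storage always yields $x \cdot y$, and computes the guessing entropy of X given that storage.

```python
# Added example (not from the paper): exhaustive check of the counterexample
# for uniform n-bit X, Y and a shared uniform n-bit string r.
from collections import defaultdict
from itertools import product
from math import log2


def weight(v):
    """Hamming weight |v| of a bit-packed string."""
    return bin(v).count("1")


def inner_product(x, y):
    """x . y mod 2, the one-bit DEOR extractor output."""
    return weight(x & y) & 1


def joint_storage(x, y, r):
    """Alice keeps (x XOR r, |x| mod 4); Bob keeps (y XOR r, |y| mod 4)."""
    return (x ^ r, weight(x) % 4, y ^ r, weight(y) % 4)


def predict_from_storage(view):
    """x . y = ((|x| + |y| - |x XOR y|) mod 4) / 2, using stored data only."""
    a, wx, b, wy = view
    return ((wx + wy - weight(a ^ b)) % 4) // 2


def analyse(n):
    """Return (prediction always correct?, guessing entropy of X | storage)."""
    size = 1 << n
    seen = defaultdict(lambda: defaultdict(int))  # view -> x -> #(y, r)
    always_correct = True
    for x, y, r in product(range(size), repeat=3):
        view = joint_storage(x, y, r)
        if predict_from_storage(view) != inner_product(x, y):
            always_correct = False
        seen[view][x] += 1
    # Optimal guessing strategy: for each view, output the most likely x.
    p_guess = sum(max(by_x.values()) for by_x in seen.values()) / size ** 3
    return always_correct, -log2(p_guess)


if __name__ == "__main__":
    for n in (3, 4, 5):
        ok, h = analyse(n)
        print(f"n={n}: x.y recovered={ok}, "
              f"H_guess(X|storage)={h:.3f}, gap={n - h:.3f}")
```

The gap n - H stays below 3 bits for every n, because for a fixed $x \oplus y$ at most 8 of the 16 weight pairs are possible.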

In light of this, it is not clear if and how entangled guessing entropy sources can be incorporated into the 
model, and hence we only consider bounded storage adversaries in the entangled case. 

Related work: We are the first to consider two-source extractors in the quantum world, especially against
entanglement. As mentioned, previous work on seeded extractors against quantum adversaries [RK05,
KMR05, Ren05, KT08, Ta-09, DV10, DPVR09, BT10] gives rise to trivial two-source extractors where one
of the sources is not touched by the adversaries. However, the only previous work that allows to derive
results in the genuine two-source scenario is the work by König and Terhal [KT08]. Using what is implicit
in their work, and with some extra effort, it is possible to obtain results in the one-bit output non-entangled
two-source scenario (which hold against guessing entropy adversaries, but with worse performance than our
results for the inner product extractor), and we give this result in detail in Sec. 5. Moreover, [KT08] show
that any classical multi-bit extractor is secure against bounded storage adversaries, albeit with an exponential
decay in the error parameter. This easily extends to the non-entangled two-source scenario, to give results in
the spirit of Thm. 2. We have worked out the details and comparison to Thm. 2 in App. A. Note, however,
that to our knowledge no previous work gives results in the entangled scenario.

Discussion and Open Problems: We have, for the first time, studied two-source extractors in the quantum
world. Previously, only seeded extractors have been studied in the quantum setting. In the two-source
scenario a new phenomenon appears: entanglement between the (otherwise independent) sources. We have
formalized what we believe is the strongest possible notion of quantum adversaries in this setting and shown
that one of the best performing extractors, the DEOR-construction, remains secure. We also show that our
results are tight in the one-bit output case.

Our results for the multi-bit output DEOR-construction allow to extract slightly fewer bits compared
to what is possible classically. An interesting open question is whether it is possible to obtain matching
parameters in the (non-entangled) quantum case. One might have to refine the analysis and not rely solely
on communication complexity lower bounds. Alternatively, our quantum XOR-Lemma currently incurs a
penalty exponential in either the length of the output or the length of the storage. Any improvement here
also immediately improves all three main theorems. In particular, by removing the penalty entirely, Thm. 2
can be made essentially optimal (with respect to the classical case).

We have shown that inner product based constructions are necessarily insecure in two reasonable models
of entangled guessing entropy adversaries (and hence that bounded storage adversaries are the more appropriate
model in the entangled case). It should be noted that it is possible that other extractor constructions
(not based on inner product) could remain secure in this setting, and this subject warrants further exploration.

As pointed out, it is conceivable that entanglement could break the security of two-source extractors.
Evidence for this is provided by the communication complexity separation in the entangled vs. non-entangled
SMP-model, given in [GKRdW09]. A fascinating open problem is to turn this relational separation into an
extractor that is secure against non-entangled quantum adversaries but completely broken when entanglement
is present.



Our work leaves several other open questions. It would be interesting to see if other multi-source extractors
remain secure against entangled adversaries, in particular the recent breakthrough construction by
Bourgain [Bou05] which works for two sources with min-entropy $(1/2 - \alpha)n$ each for some small constant
$\alpha$, or the construction of Raz [Raz05], where one source is allowed to have logarithmic min-entropy while
the other has min-entropy slightly larger than n/2. Both extractors are based on the inner product and output
$\Omega(n)$ almost uniform bits.

And lastly, it would be interesting to see other applications of secure multi-source extractors in the quantum
world. One possible scenario is multi-party computation. Classically, Kalai et al. [KLR09] show that
sufficiently strong two-source extractors allow to perform multi-party communication with weak sources
when at least two parties are honest. Perhaps similar results hold in the quantum setting.

Structure of the paper: In Sec. 2 we introduce our basic notation and definitions, and describe the DEOR
construction. Here we also present one of our tools, the "quantum" XOR-Lemma. Sec. 3 is dedicated to
the one-bit output case and the connection to communication complexity and gives our tightness results. In
Sec. 4 we deal with the multi-bit output case and prove our main result, Thms. 2 and 3. In Sec. 5 we present
our results against non-entangled guessing entropy adversaries (partly based on [KT08]) and prove Thm. 4.
App. A works out the results that can be derived from [KT08] in the case of multi-bit extractors against
non-entangled bounded storage.

2 Preliminaries and Tools 

In this section we provide the necessary notation, formalize Def. 1, describe the DEOR-extractor and present
and prove our quantum XOR-Lemma. For background on quantum information see e.g. [NC00].

Notation: Given a classical random variable Z and a set of density matrices $\{\rho_z\}_{z \in Z}$ we denote by $Z\rho_Z$ the
cq-state $\sum_{z \in Z} \Pr[Z = z]\, |z\rangle\langle z| \otimes \rho_z$. When the distribution is clear from the context we write $p(z)$ instead of
$\Pr[Z = z]$. For any random variable $Z'$ on the domain of Z, we define $\rho_{Z'} := \sum_{z \in Z'} \Pr[Z' = z]\rho_z$. For any
random variable Y, let $Y\rho_Z := \sum_{y \in Y} \Pr[Y = y]\, |y\rangle\langle y| \otimes \rho_{Z|Y=y}$. We denote by $U_m$ the uniform distribution
on m bits. For matrix norms, we define $|A|_{tr} = \frac{1}{2}\|A\|_1 = \frac{1}{2}\mathrm{Tr}(\sqrt{A^\dagger A})$ and $\|A\|_2 = \sqrt{\mathrm{Tr}(A^\dagger A)}$.

Extractors against quantum storage: We first formalize the different types of quantum storage.

Definition 5. For two random variables X, Y we say $\rho_{XY}$ is a $(b_1, b_2)$ entangled storage if it is generated
by two non communicating parties, Alice and Bob, in the following way. Alice and Bob share an arbitrary
entangled state. Alice receives $x \in X$, Bob receives $y \in Y$. They each apply any quantum operation on
their qubits. Alice then stores $b_1$ of her qubits (and discards the rest), and Bob stores $b_2$ of his qubits, giving
the state $\rho_{xy}$.

We denote by p^y the state obtained when Alice stores her entire state, whereas Bob stores only $b_2$
qubits of his, and similarly for Pxy.

We say $\rho_{XY}$ is $(b_1, b_2)$ non-entangled storage if $\rho_{xy} = \rho_x \otimes \rho_y$ for all $x \in X, y \in Y$.

The security of the extractor is defined relative to the storage. 

Definition 6. A $(k_1, k_2, \varepsilon)$ 2-source extractor against $(b_1, b_2)$ (entangled) quantum storage is a function
$E : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^m$ such that for any independent n-bit weak sources X, Y with respective
min-entropies $k_1, k_2$, and any $(b_1, b_2)$ (entangled) storage $\rho_{XY}$, $|E(X,Y)\rho_{XY} - U_m\rho_{XY}|_{tr} \le \varepsilon$.

The extractor is called X-strong if $|E(X,Y)\rho_{XY}X - U_m\rho_{XY}X|_{tr} \le \varepsilon$, and X-superstrong when $\rho_{XY}$ is
replaced by p^y. It is called (super)strong if it is both X- and Y-(super)strong.

A note on the definition: A strong extractor is secure even if at the distinguishing stage one of the sources
is completely exposed. A superstrong extractor is secure even if, in addition, the matching party's entire state
is also given. Without entanglement, the two are equal, as the state can be completely reconstructed from
the source. In the communication complexity setting the model of strong extractors corresponds to the SMP
model where the referee also gets access to one of the inputs, whereas the model of superstrong extractors
corresponds to the one-way model, where one party also has access to its share of the entangled state.

To prove E is an extractor, it suffices to show that it is either X-strong or Y-strong. All our proofs follow 
this route. 

Flat sources: It is well known that any source with min-entropy k is a convex combination of flat sources
(i.e., sources that are uniformly distributed over their support) with min-entropy k. In what follows we will
therefore only consider such sources in our analysis of extractors, as one can easily verify that

$$|E(X,Y)\rho_{XY} - U_m\rho_{XY}|_{tr} \le \max_{i,j} |E(X_i,Y_j)\rho_{X_iY_j} - U_m\rho_{X_iY_j}|_{tr},$$

where $X = \sum_i \alpha_i X_i$ and $Y = \sum_j \beta_j Y_j$ are convex combinations of flat sources.

The DEOR construction: The following (strong) extractor construction is due to Dodis et al. [DEOR04].
Every output bit is a linearly transformed inner product, namely $A_i x \cdot y$ for some full rank matrix $A_i$, where
x and y are the n-bit input vectors. Here $x \cdot y := \sum_{j=1}^{n} x_j y_j \pmod 2$. The matrices $A_i$ have the additional
property that every subset sum is also of full rank. This ensures that any XOR of some bits of the output is
itself a linearly transformed inner product.

Lemma 7 ([DEOR04]). For all n > 0, there exist an efficiently computable set of $n \times n$ matrices $A_1, A_2, \dots, A_n$
over GF(2) such that for any non-empty set $S \subseteq [n]$, $A_S := \sum_{i \in S} A_i$ has full rank.

Definition 8 (strong blender of [DEOR04]). Let n > m > 0, and let $\{A_i\}_{i=1}^{m}$ be a set as above. The
DEOR-extractor $E_D : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^m$ is given by $E_D(x,y) = A_1 x \cdot y, A_2 x \cdot y, \dots, A_m x \cdot y$.
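
The construction in Lemma 7 and Definition 8 can be tried out on small parameters. The following Python example is added here and is not code from the paper or from [DEOR04]. It assumes one family with the required subset-sum property, the matrices of multiplication by $1, x, \dots, x^{7}$ in GF(2^8) with the polynomial $x^8 + x^4 + x^3 + x + 1$, which is not claimed to be the family used in [DEOR04]; all function names are hypothetical.

```python
# Added example (not from the paper). Assumption: A_i is the GF(2) matrix of
# "multiply by x^(i-1)" in GF(2^8); any non-empty sum of such matrices is
# multiplication by a non-zero field element, hence full rank (Lemma 7).
N = 8
POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)


def gf_mul(a, b):
    """Multiply two elements of GF(2^N); bit i is the coefficient of x^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= POLY
    return r


def matrix_of(c):
    """Column-packed matrix of v -> c*v: column j is the image of e_j."""
    return [gf_mul(c, 1 << j) for j in range(N)]


def mat_vec(cols, v):
    """Apply a column-packed GF(2) matrix to the bit vector v."""
    out = 0
    for j, col in enumerate(cols):
        if (v >> j) & 1:
            out ^= col
    return out


def rank_gf2(vectors):
    """Rank over GF(2) of bit-packed vectors (incremental elimination)."""
    basis = []
    for v in vectors:
        for b in basis:
            v = min(v, v ^ b)  # clears b's leading bit in v if it is set
        if v:
            basis.append(v)
    return len(basis)


A = [matrix_of(1 << i) for i in range(N)]  # A_1, ..., A_n


def all_subset_sums_full_rank():
    """Check A_S = sum_{i in S} A_i for all 2^N - 1 non-empty S."""
    for s in range(1, 1 << N):
        cols = [0] * N
        for i in range(N):
            if (s >> i) & 1:
                cols = [c ^ a for c, a in zip(cols, A[i])]
        if rank_gf2(cols) != N:
            return False
    return True


def extract(x, y, m):
    """E_D(x, y) = (A_1 x . y, ..., A_m x . y), packed into an m-bit int."""
    out = 0
    for i in range(m):
        ax = mat_vec(A[i], x)
        out |= (bin(ax & y).count("1") & 1) << i
    return out


def distance_from_uniform(xs, ys, m):
    """Statistical distance between E_D(X, Y) and U_m for flat X, Y."""
    counts = [0] * (1 << m)
    for x in xs:
        for y in ys:
            counts[extract(x, y, m)] += 1
    total = len(xs) * len(ys)
    return sum(abs(c / total - 2.0 ** -m) for c in counts) / 2


if __name__ == "__main__":
    print("subset sums full rank:", all_subset_sums_full_rank())
    # Constructed flat sources with k1 = k2 = 6: X has its two top bits
    # fixed to 0, Y has its two low bits fixed to 0.
    xs = range(1 << 6)
    ys = [y << 2 for y in range(1 << 6)]
    print("one-bit distance:", distance_from_uniform(xs, ys, 1))
    print("uniform inputs, m = 3:",
          distance_from_uniform(range(256), range(256), 3))
```

For uniform inputs the only deviation from uniform comes from x = 0, which always maps to the all-zero output.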

The XOR-Lemma: Vazirani's XOR-Lemma [Vaz87] relates the non-uniformity of a distribution to the
non-uniformity of the characters of the distribution, i.e., the XOR of certain bit positions. For the
DEOR-extractor it allows to reduce the multi-bit output case to the binary output case.

Lemma 9 (Classical XOR-Lemma [Vaz87, Gol95]). For every m-bit random variable Z

$$|Z - U_m|_1^2 \le \sum_{0 \ne S \in \{0,1\}^m} |(S \cdot Z) - U_1|_1^2.$$

This lemma is not immediately applicable in our scenario, as we need to take into account quantum side 
information. For this, we need a slightly more general XOR-Lemma. 

Lemma 10 (Classical-Quantum XOR-Lemma).^9 Let $Z\rho_Z$ be an arbitrary cq-state, where Z is an m-bit
classical random variable and $\rho_Z$ is of dimension $2^d$. Then

$$|Z\rho_Z - U_m\rho_Z|_{tr}^2 \le 2^{\min(m,d)} \cdot \sum_{0 \ne S \in \{0,1\}^m} |(S \cdot Z)\rho_Z - U_1\rho_Z|_{tr}^2.$$

Proof. Following the proof of the classical XOR-Lemma in [Gol95], we first relate $\|Z\rho_Z - U_m\rho_Z\|_1$ to
$\|Z\rho_Z - U_m\rho_Z\|_2$ and then view $Z\rho_Z - U_m\rho_Z$ in the Hadamard (or Fourier) basis, giving us the desired
result. We need the following simple claim.

Claim 11. For any Boolean function f, $\|f(Z)\rho_Z - U_1\rho_Z\|_1 = \big\|\sum_z (-1)^{f(z)} p(z)\rho_z\big\|_1$.



^9 We thank Thomas Vidick for pointing out that we can also have a bound in terms of m and not only d.



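Proof. Denote $\rho_b = \sum_{z : f(z) = b} p(z)\rho_z$ for b = 0, 1. Then $\rho_Z = \rho_0 + \rho_1$ and

$$\begin{aligned}
\|f(Z)\rho_Z - U_1\rho_Z\|_1 &= \big\| |0\rangle\langle 0| \otimes \rho_0 + |1\rangle\langle 1| \otimes \rho_1 - \tfrac{1}{2}(|0\rangle\langle 0| + |1\rangle\langle 1|) \otimes (\rho_0 + \rho_1) \big\|_1 \\
&= \tfrac{1}{2} \big\| |0\rangle\langle 0| \otimes (\rho_0 - \rho_1) + |1\rangle\langle 1| \otimes (\rho_1 - \rho_0) \big\|_1 \\
&= \|\rho_0 - \rho_1\|_1 = \Big\| \sum_z (-1)^{f(z)} p(z)\rho_z \Big\|_1. \qquad (1)
\end{aligned}$$

□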



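Let $\chi_S(z) = (-1)^{S \cdot z}$ for $S \in \{0,1\}^m$. Denote $D = 2^d$, $M = 2^m$ and $\sigma_z = p(z)\rho_z - \frac{1}{M}\rho_Z$. Then

$$\begin{aligned}
\|Z\rho_Z - U_m\rho_Z\|_1^2 &= \Big\| \sum_z |z\rangle\langle z| \otimes \sigma_z \Big\|_1^2
= \Big\| (H^{\otimes m} \otimes I_D) \sum_z |z\rangle\langle z| \otimes \sigma_z \, (H^{\otimes m} \otimes I_D) \Big\|_1^2 \\
&= \frac{1}{M^2} \Big\| \sum_{z,y,S} |y\rangle\langle S| \otimes \chi_S(z)\chi_y(z)\sigma_z \Big\|_1^2
\le \frac{D}{M} \Big\| \sum_{z,y,S} |y\rangle\langle S| \otimes \chi_S(z)\chi_y(z)\sigma_z \Big\|_2^2, \qquad (2)
\end{aligned}$$

where H is the Hadamard transform.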

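Factor D: Using the fact that the $\|\cdot\|_2^2$ of a matrix is the sum of $\|\cdot\|_2^2$ of its ($D \times D$) sub-blocks, together
with $\chi_S(z)\chi_y(z) = \chi_{y+S}(z)$ and $\|\cdot\|_2 \le \|\cdot\|_1$, (2) gives

$$\|Z\rho_Z - U_m\rho_Z\|_1^2 \le \frac{D}{M} \sum_{y,S} \Big\| \sum_z \chi_{y+S}(z)\sigma_z \Big\|_2^2
= D \sum_S \Big\| \sum_z \chi_S(z)\sigma_z \Big\|_2^2
\le D \sum_S \Big\| \sum_z \chi_S(z)\sigma_z \Big\|_1^2. \qquad (3)$$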



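Using Claim 11 with $f(Z) = S \cdot Z$, we get

$$\sum_{S \ne 0} \|(S \cdot Z)\rho_Z - U_1\rho_Z\|_1^2
= \sum_{S \ne 0} \Big\| \sum_z \chi_S(z) p(z)\rho_z \Big\|_1^2
= \sum_{S \ne 0} \Big\| \sum_z \chi_S(z)\sigma_z \Big\|_1^2
= \sum_S \Big\| \sum_z \chi_S(z)\sigma_z \Big\|_1^2, \qquad (4)$$

where the second equality holds since $\chi_S$ is balanced, and the third since $\sum_z \sigma_z = 0$. Combining Eqs. (3)
and (4) gives the desired result.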

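Factor M: Restarting from the next-to-last step of (2), using again $\chi_S(z)\chi_y(z) = \chi_{y+S}(z)$ and the triangle
inequality, we obtain

$$\begin{aligned}
\|Z\rho_Z - U_m\rho_Z\|_1^2 &= \frac{1}{M^2} \Big\| \sum_S \sum_y |y\rangle\langle S+y| \otimes \sum_z \chi_S(z)\sigma_z \Big\|_1^2 \\
&\le \frac{1}{M} \sum_S \Big\| \sum_y |y\rangle\langle S+y| \otimes \sum_z \chi_S(z)\sigma_z \Big\|_1^2
= M \cdot \sum_S \Big\| \sum_z \chi_S(z)\sigma_z \Big\|_1^2,
\end{aligned}$$

where the last step follows from the observation that the matrices inside the norms are of the form $P \otimes B$
where P is a permutation matrix. In this case $\|P \otimes B\|_1 = \dim(P) \cdot \|B\|_1 = M \cdot \|B\|_1$. As before,
combining this with Eq. (4) gives the desired bound. □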



3 Communication Complexity and One-Bit Extractors 

3.1 Average case lower bound for inner product 

Cleve et al. [CvDNT98] give a lower bound for the worst case one-way quantum communication complexity of inner product with arbitrary prior entanglement. It is achieved by first reducing the problem of computing the inner product to that of transmitting one input over a quantum channel, and then using an extended Holevo bound. Nayak and Salzman [NS06] obtained an optimal lower bound by replacing Holevo with a more "mission-specific" bound:

Theorem 12 ([NS06], Thm 1.3 and discussion thereafter). Let $X$ be an $n$-bit random variable with min-entropy $k$, and suppose Alice wishes to convey $X$ to Bob over a one-way quantum communication channel using $b$ qubits. Let $Y$ be the random variable denoting Bob's guess for $X$. Then

1. $\Pr[Y = X] \le 2^{-(k-b)}$, if the parties don't share prior entanglement, and
2. $\Pr[Y = X] \le 2^{-(k-2b)}$.

Revisiting Cleve et al.'s reduction, we now show how to adapt it to flat sources, to the average case error 
and to the linearly transformed inner product. The main challenge is to carefully treat the error terms so as 
to not cancel out the (small) amplitude of the correct state. 

Lemma 13. Let $X, Y$ be flat sources over $n$ bits with min-entropies $k_1, k_2$, and $A, B$ full rank $n$ by $n$ matrices over $GF(2)$. Let $P$ be a $b$ qubit one-way protocol for $(AX) \cdot (BY)$ with success probability $\frac{1}{2} + \varepsilon$. Then

(a) $\varepsilon \le 2^{-(k_1+k_2-2b-n+2)/2}$, if the parties share prior entanglement and

(b) $\varepsilon \le 2^{-(k_1+k_2-b-n+2)/2}$ otherwise.

Proof. Let us first consider the case $A = B = I$. Assume w.l.o.g. Bob delays his operations until receiving the message from Alice and that in his first step he copies his input, leaving the original untouched throughout. Further assume Bob outputs the result in one of his qubits.

For a fixed $x$, denote the success probability of $P$ by $\frac{1}{2} + \varepsilon_x$ ($\varepsilon_x$ might be negative). Denote Bob's state after receiving the message as $|y\rangle|0\rangle|\sigma_x\rangle$, where $\sigma_x$ is taken to contain Alice's message and Bob's prior entangled qubits as required by the protocol (if present). The rest of the protocol is now performed locally by Bob. We denote this computation $P_B$. After applying $P_B$, Bob's state is of the form

$$\alpha_{x,y}|y\rangle|x \cdot y\rangle|J_{x,y}\rangle + \beta_{x,y}|y\rangle|\overline{x \cdot y}\rangle|K_{x,y}\rangle,$$

and by assumption, $\mathbf{E}_y\,\beta_{x,y}^2 = \frac{1}{2} - \varepsilon_x$. Following the analysis in [CvDNT98], using clean computation, where the output is produced in a new qubit (the leftmost), gives the state

$$|z + x \cdot y\rangle|y\rangle|0\rangle|\sigma_x\rangle + \sqrt{2}\,\beta_{x,y}|M_{x,y,z}\rangle,$$

where $|M_{x,y,z}\rangle = \left(-\tfrac{1}{\sqrt{2}}|z + x \cdot y\rangle + \tfrac{1}{\sqrt{2}}|z + \overline{x \cdot y}\rangle\right) P_B^{\dagger}|y\rangle|\overline{x \cdot y}\rangle|K_{x,y}\rangle$. Observe the following properties of $M$:

1. $|M_{x,y,0}\rangle = -|M_{x,y,1}\rangle$.
2. As $y \in Y$ varies, the states $|M_{x,y,z}\rangle$ are orthonormal.
3. Since $P_B$ does not affect the first $n$ (so called input) qubits, $|M_{x,y,z}\rangle$ is orthogonal to states of the form $|a\rangle|y'\rangle \otimes |\cdot\rangle$ for all $a \in \{0,1\}$, $y \in Y$, $y' \notin Y$.

We now use the following steps to transfer X from Alice to Bob: 



1. Bob prepares the state $\sqrt{2^{-k_2-1}} \sum_{y \in Y,\, a \in \{0,1\}} (-1)^a |a\rangle|y\rangle$.

2. Alice and Bob execute the clean version of P.

3. Bob performs the Hadamard transform on each of his first n + 1 qubits and measures in the computational basis.

After the second step, Bob's state is $|\psi\rangle = |v\rangle + e$ where



yGY,HG{0,l} yeY,ae{0,l} 



By the properties of $|M_{x,y,z}\rangle$, $\|e\|^2 = 4\,\mathbf{E}_y\,\beta_{x,y}^2 = 4(\tfrac{1}{2} - \varepsilon_x)$. Since $|v\rangle + e$ and $|v\rangle$ are normalized states, we can easily derive $\langle v|(|v\rangle + e) = 2\varepsilon_x$. Define



y^y,flG{0,l} 

and note that the second term is orthogonal to both $|v\rangle$ and $e$. It follows that $\langle\psi|\phi_0\rangle = \sqrt{2^{k_2-n+2}}\,\varepsilon_x$. Applying the Hadamard transform in Step 3 does not affect the inner product, and so Bob will measure $|1\rangle|x\rangle$ with probability $2^{k_2-n+2} \cdot \varepsilon_x^2$. Applying Thm. 12.1 and 12.2 along with Jensen's inequality now completes the proof.

For the general case where $A \ne I$ or $B \ne I$, we modify Step 3 of the transmission protocol. Instead of the Hadamard transform, Bob applies the inverse of the unitary transformation $|z\rangle|x\rangle \mapsto \sqrt{2^{-n-1}} \cdot \sum_{y,a} (-1)^{az + (Ax) \cdot (By)} |a\rangle|y\rangle$. It is easy to check that this gives the desired result. □

3.2 One bit extractor 

When the extractor's output is binary, distinguishing it from uniform is equivalent to computing the output on average. This was shown by Yao [Yao82] when the storage is classical and is trivially extended to the quantum setting. With this observation, reformulating Lem. 13 in the language of trace distance yields a one bit extractor.

Corollary 14. The function $E_{IP}(x,y) = x \cdot y$ is a $(k_1,k_2,\varepsilon)$ extractor against $(b_1,b_2)$ (entangled) quantum storage provided

(a) (entangled) $k_1 + k_2 - 2\min(b_1,b_2) > n - 2 + 2\log\varepsilon^{-1}$,

(b) (non-entangled) $k_1 + k_2 - \min(b_1,b_2) > n - 2 + 2\log\varepsilon^{-1}$.

Proof. With Yao's equivalence, Lem. 13(a) immediately gives

$$|(AX \cdot Y)\rho_{XY}X - U\rho_{XY}X|_{\mathrm{tr}} \le 2^{-(k_1+k_2-2b_2-n+2)/2} \qquad (5)$$

$$|(AX \cdot Y)\rho_{XY}Y - U\rho_{XY}Y|_{\mathrm{tr}} \le 2^{-(k_1+k_2-2b_1-n+2)/2} \qquad (6)$$

for any full rank matrix $A$, and specifically for $A = I$. By the assumption on $\varepsilon$, $E_{IP}$ is either Y-strong or X-strong. Repeating this argument with Lem. 13(b) gives the non-entangled case. □

Recall (see Def. 6 and discussion thereafter) that one-way communication corresponds to the model of superstrong extractors. It is not surprising then that Lem. 13 actually implies a superstrong extractor. By choosing $\varepsilon$ in the above proof of Cor. 14 such that both inequalities (5) and (6) are satisfied, where we replace
PxY by p^Y to include Alice's complete state as well as Bob's entangled qubits and similarly for p^ , we 
obtain: 

Corollary 15. The function $E_{IP}(x,y) = x \cdot y$ is a $(k_1,k_2,\varepsilon)$ superstrong extractor against $(b_1,b_2)$ (entangled) quantum storage provided

(a) (entangled) $k_1 + k_2 - 2\max(b_1,b_2) > n - 2 + 2\log\varepsilon^{-1}$,

(b) (non-entangled) $k_1 + k_2 - \max(b_1,b_2) > n - 2 + 2\log\varepsilon^{-1}$.

We now show that the parameters of all our extractors are tight up to an additive constant. For simplicity, assume first that the error $\varepsilon$ is close to 1/2, the sources are uniform and $b_1 = b_2 := b$. Cor. 14 then states that $E_{IP}$ is an extractor as long as $b < n$ in the non-entangled case and $b < n/2$ in the entangled case. Indeed, in the non-entangled case it is trivial to compute the inner product in the SMP model (i.e., break the extractor) when $b > n$. With entanglement, $b > n/2$ suffices as demonstrated by the following protocol, adapted from a protocol by de Wolf [dW10].

Claim 16. The inner product function for n bit strings is exactly computable in the SMP model with entanglement with n/2 + 2 qubits of communication from each party.

Proof. Let $x, y \in \{0,1\}^n$ be Alice and Bob's inputs. Since $x \cdot y = \frac{1}{2}((|x| + |y| - |x \oplus y|) \bmod 4)$, it suffices to show that the referee can compute $x \oplus y$ with n/2 qubits of communication from each party, or simply $x_1x_2 \oplus y_1y_2$ with one qubit of communication each.

Denote the Pauli matrices $\sigma_{00} = I$, $\sigma_{01} = Z$, $\sigma_{10} = X$, $\sigma_{11} = ZX$. Given a shared EPR pair, Alice applies $\sigma_{x_1x_2}$ to her qubit and sends it to the referee, and Bob does the same with $\sigma_{y_1y_2}$. Note that applying $\sigma_{b_1b_2}$ to the first qubit has the same effect as applying it to the second qubit. Further, $X$ is applied iff $b_1$ is 1 and $Z$ is applied iff $b_2$ is 1. Since two applications of $X$ ($Z$) cancel each other out, we have that $X$ is applied to the first qubit iff $x_1 + y_1 = 1$ and $Z$ is applied to the first qubit iff $x_2 + y_2 = 1$. The net effect on the EPR state is $\sigma_{x_1x_2 \oplus y_1y_2} \otimes I$. For each value of $x_1x_2 \oplus y_1y_2$ this gives one of the orthogonal (completely distinguishable) Bell states. □
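The protocol in the proof of Claim 16, simulated as an added example (not code from the paper): each pair of input bits is encoded on one half of an EPR pair, the referee's Bell measurement yields $x \oplus y$, and the weight identity from the proof gives $x \cdot y$. Sending $|x| \bmod 4$ and $|y| \bmod 4$ as two extra bits per party is this example's reading of the "+ 2" in the claim; all function names are illustrative.

```python
import math

R = 1 / math.sqrt(2)
ALICE, BOB = 2, 1   # bit masks of the two qubits in the basis index |ab> -> 2a + b

# Bell states reached from the EPR pair, keyed by (X applied?, Z applied?).
BELL = {
    (0, 0): [R, 0, 0, R],
    (0, 1): [R, 0, 0, -R],
    (1, 0): [0, R, R, 0],
    (1, 1): [0, R, -R, 0],
}

def apply_sigma(state, qubit, b1, b2):
    """Apply sigma_{b1 b2} to one qubit: X iff b1 = 1, then Z iff b2 = 1."""
    if b1:
        state = [state[i ^ qubit] for i in range(4)]
    if b2:
        state = [-amp if i & qubit else amp for i, amp in enumerate(state)]
    return state

def bell_measure(state):
    """Referee's measurement: return the Bell label that occurs with probability 1."""
    for label, bell in BELL.items():
        overlap = sum(b * s for b, s in zip(bell, state))
        if overlap * overlap > 0.999:
            return label
    raise ValueError("state is not a Bell state")

def referee_xor(x, y):
    """Recover x XOR y from n/2 EPR pairs; each party sends n/2 qubits (n even)."""
    out = []
    for i in range(0, len(x), 2):
        state = list(BELL[(0, 0)])                       # fresh EPR pair
        state = apply_sigma(state, ALICE, x[i], x[i + 1])
        state = apply_sigma(state, BOB, y[i], y[i + 1])
        out.extend(bell_measure(state))
    return out

def smp_inner_product(x, y):
    """x . y = ((|x| + |y| - |x XOR y|) mod 4) / 2, computed by the referee."""
    wx, wy = sum(x) % 4, sum(y) % 4                      # two classical bits from each party
    return ((wx + wy - sum(referee_xor(x, y))) % 4) // 2
```
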

Showing that our results are tight for arbitrary $\varepsilon$ is trickier. We show

Lemma 17. If $E_{IP} = x \cdot y$ is a $(k_1,k_2,\varepsilon)$ extractor against $(b_1,b_2)$ (entangled) storage then

(a) (entangled) $k_1 + k_2 - 2\min(b_1,b_2) > n - 9 + 2\log\varepsilon^{-1}$,

(b) (non-entangled) $k_1 + k_2 - \min(b_1,b_2) > n - 5 + 2\log\varepsilon^{-1}$.

If $E_{IP}$ is superstrong, then

(a) (entangled) $k_1 + k_2 - 2\max(b_1,b_2) > n - 9 + 2\log\varepsilon^{-1}$,

(b) (non-entangled) $k_1 + k_2 - \max(b_1,b_2) > n - 5 + 2\log\varepsilon^{-1}$.

Proof. We give a slightly modified version of Proposition 10 in [CG88], taking into account quantum side information. We need the following theorem.

Theorem 18 ([CG88, Theorem 3]). There exist independent random variables $X, Y$ on $l$ bits with min-entropy $l - 3$ each such that $\Pr[X \cdot Y = 0] > \frac{1}{2} + 2^{-(l-1)/2}$.

We start in the weak extractor setting with entanglement. We construct sources $X, Y$ with min-entropy $k_1, k_2$ and $(b_1,b_2)$ entangled quantum storage $\rho_{XY}$ for which the error will be "large". Let $b = 2(\min(b_1,b_2) - 2)$, and let $\Delta = k_1 + k_2 - n$. If $\Delta \le b$, we pick $X$ to be uniform on the first $k_1$ bits and 0 elsewhere, $Y$ uniform on the last $k_2$ bits and 0 elsewhere. The inner product of $X, Y$ is then the inner product of at most $b$ bits, and can be computed exactly using the SMP protocol in Claim 16 with $\min(b_1,b_2)$ qubits from each.

In the case $\Delta > b$, we define $X = X_1X_2X_3X_4$ as follows: $X_1$ is uniform on $b$ bits, $X_2$ is uniform on $k_1 - \Delta - 3$ bits, $X_3$ is the first $(\Delta + 6 - b, \Delta + 3 - b)$ source promised by Thm. 18 (for $l = \Delta + 6 - b$), and $X_4$ is constant $0^{n-k_1-3}$. Analogously, $Y = Y_1Y_2Y_3Y_4$ is defined as: $Y_1$ is uniform on $b$ bits, $Y_2$ is constant $0^{n-k_2-3}$, $Y_3$ is the second $(\Delta + 6 - b, \Delta + 3 - b)$ source promised by Thm. 18 and $Y_4$ is uniform on $k_2 - \Delta - 3$ bits. It is easily verified that $H_\infty(X) \ge k_1$ and $H_\infty(Y) \ge k_2$. Finally, we set $\rho_{XY}$ to be the entangled $(\min(b_1,b_2), \min(b_1,b_2))$ storage of the SMP protocol in Claim 16 allowing us to compute $X_1 \cdot Y_1$ exactly, and $M$ the measurement strategy of the referee. Applying Thm. 18,

$$\Pr[M(\rho_{XY}) = X \cdot Y] = \Pr[X_1 \cdot Y_1 = X \cdot Y] = \Pr[X_3 \cdot Y_3 = 0] > \tfrac{1}{2} + 2^{-(\Delta+5-b)/2}$$

and $|(X \cdot Y)\rho_{XY} - U\rho_{XY}|_{\mathrm{tr}} > 2^{-(k_1+k_2-b-n+5)/2}$.

Footnote: [CG88] prove the claim with slightly different parameters for arbitrary Boolean functions. Our modification is trivial.

In the non-entangled case, we simply set $b = \min(b_1,b_2)$ and replace the SMP protocol with a trivial protocol for IP on $b$ bits.

In the superstrong case with entanglement, assume w.l.o.g. that $b_1 \ge b_2$ and choose $b = 2b_1$. We then let $\rho_{XY}$ be the entangled state that appears in the superdense coding protocol for $X_1$. Thus, exposing Bob's state allows us to compute $X_1 \cdot Y_1$ exactly. Without entanglement, we set $b = b_1$ and have Alice send $X_1$ to Bob. □

4 Many Bit Extractors 

Here we prove our main Theorems 2 and 3. First, using our quantum XOR-Lemma 10, we obtain results in the strong case.

Lemma 19. $E_D$ is a $(k_1,k_2,\varepsilon)$ X-strong extractor against $(b_1,b_2)$ (entangled) quantum storage provided

(a) (entangled) $k_1 + k_2 - 2b_2 > 2m + n - 2 + 2\log\varepsilon^{-1}$,

(b) (non-entangled) $k_1 + k_2 - b_2 > 2m + n - 2 + 2\log\varepsilon^{-1}$.

Proof. Recall that $E_D(x,y) = A_1x \cdot y, A_2x \cdot y, \ldots, A_mx \cdot y$ (see Def. [H). For $0 \ne S \in \{0,1\}^m$, let $A_S = \sum_{i: S_i = 1} A_i$ and note that $S \cdot E(x,y) = A_Sx \cdot y$. By the XOR-Lemma 10,

$$|E(X,Y)\rho_{XY}X - U_m\rho_{XY}X|_{\mathrm{tr}} \le \sqrt{2^m \sum_{S \ne 0} |(A_SX \cdot Y)\rho_{XY}X - U_1\rho_{XY}X|_{\mathrm{tr}}^2}.$$

The result then follows by Ineq. (5) in the proof of Cor. 14 and its non-entangled analogue. □
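The reduction used in the proof of Lemma 19, as an added example (not the paper's code): it builds a toy $E_D$ with n = 4 and m = 2, checks that every non-zero $A_S$ is full rank and that $S \cdot E_D(x,y) = A_Sx \cdot y$, and evaluates both sides of the XOR-Lemma for flat sources with no side information (a register of dimension 1, so the factor in front of the sum is 1). The matrices $A_i$, taken here as powers of multiplication by $\alpha$ in $GF(2^4)$, and the source supports are assumptions of this example.

```python
from itertools import product

N, M_BITS = 4, 2     # input length n and output length m (constructed toy sizes)
POLY = 0b10011       # x^4 + x + 1, irreducible over GF(2) (assumption of this example)

# Constructed flat sources: 8 of the 16 strings each, i.e. min-entropy 3.
X_SUPPORT = [1, 2, 3, 5, 8, 11, 13, 14]
Y_SUPPORT = [0, 3, 4, 6, 7, 9, 10, 15]

def ip(a, b):
    """Inner product over GF(2) of two bit-vectors packed into ints."""
    return bin(a & b).count("1") & 1

def times_alpha(v):
    """Multiply v in GF(2^N) by alpha; this is a linear map on bit-vectors."""
    v <<= 1
    return v ^ POLY if v >> N else v

def A(i, x):
    """A_i x for i = 1..m, where A_i is the (i-1)-th power of times_alpha."""
    for _ in range(i - 1):
        x = times_alpha(x)
    return x

def A_S(S, x):
    """A_S x, where A_S is the sum of A_i over the positions i with S_i = 1."""
    out = 0
    for i, s in enumerate(S, start=1):
        if s:
            out ^= A(i, x)
    return out

def extract(x, y):
    """E_D(x, y) = (A_1 x . y, ..., A_m x . y) as a tuple of bits."""
    return tuple(ip(A(i, x), y) for i in range(1, M_BITS + 1))

def is_full_rank(S):
    """A_S is full rank iff it permutes {0,1}^N."""
    return len({A_S(S, x) for x in range(2 ** N)}) == 2 ** N

def parity_identity_holds():
    """Check S . E_D(x, y) = A_S x . y for every non-zero S and all x, y."""
    for S in product((0, 1), repeat=M_BITS):
        if not any(S):
            continue
        for x, y in product(range(2 ** N), repeat=2):
            lhs = sum(s & e for s, e in zip(S, extract(x, y))) & 1
            if lhs != ip(A_S(S, x), y):
                return False
    return True

def xor_lemma_sides(x_support, y_support):
    """Return (||Z - U_m||_1^2, sum over S != 0 of ||S.Z - U_1||_1^2) for Z = E_D(X, Y)."""
    weight = 1.0 / (len(x_support) * len(y_support))
    dist = {}
    for x, y in product(x_support, y_support):
        z = extract(x, y)
        dist[z] = dist.get(z, 0.0) + weight
    outputs = list(product((0, 1), repeat=M_BITS))
    lhs = sum(abs(dist.get(z, 0.0) - 2.0 ** -M_BITS) for z in outputs) ** 2
    rhs = 0.0
    for S in outputs:
        if any(S):
            p1 = sum(p for z, p in dist.items() if sum(s & b for s, b in zip(S, z)) & 1)
            rhs += (abs(p1 - 0.5) + abs((1 - p1) - 0.5)) ** 2
    return lhs, rhs
```
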

In a similar way, we also obtain a Y-strong extractor with analogous parameters. Following [DEOR04], we now apply a seeded extractor against quantum storage (see Def. 20) to the output of an X-strong (Y-strong) extractor to obtain a two-source extractor with more output bits (see Lem. 21).

Definition 20 ([Ta-09]). A function $E : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ is a $(k,\varepsilon)$ seeded extractor against $b$ quantum storage if for any $n$-bit source $X$ with min-entropy $k$ and any $b$ qubit quantum storage $\rho_X$,

$$|E(X,U_d)\rho_X - U_m\rho_X|_{\mathrm{tr}} \le \varepsilon.$$

Lemma 21. Let $E_B : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^d$ be a $(k_1,k_2,\varepsilon)$ X-strong extractor against $(b_1,b_2)$ (entangled) quantum storage, and let $E_S : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ and $E(x,y) = E_S(x, E_B(x,y))$.

(a) (entangled) If $E_S$ is a $(k_1,\varepsilon)$ seeded extractor against $b_1 + b_2$ quantum storage then $E$ is a $(k_1,k_2,2\varepsilon)$ extractor against $(b_1,b_2)$ entangled quantum storage.

(b) (non-entangled) If $E_S$ is a $(k_1,\varepsilon)$ seeded extractor against $b_1$ quantum storage then $E$ is a $(k_1,k_2,2\varepsilon)$ extractor against $(b_1,b_2)$ non-entangled quantum storage.

Footnote: In fact, this shows that our non-entangled extractor is tight even for classical storage.

Proof. Part (a): $|E_B(X,Y)\rho_{XY}X - U_d\rho_{XY}X|_{\mathrm{tr}} \le \varepsilon$ and so $|E_S(X,E_B(X,Y))\rho_{XY} - E_S(X,U_d)\rho_{XY}|_{\mathrm{tr}} \le \varepsilon$. But $|E_S(X,U_d)\rho_{XY} - U_m\rho_{XY}|_{\mathrm{tr}} \le \varepsilon$ by definition of $E_S$. The result follows from the triangle inequality. For part (b) note that when the storage is non-entangled, $|E_S(X,U_d)\rho_X\rho_Y - U_m\rho_X\rho_Y|_{\mathrm{tr}} = |E_S(X,U_d)\rho_X - U_m\rho_X|_{\mathrm{tr}}$, and it suffices to require that $E_S$ be a seeded extractor against only $b_1$ quantum storage. □

A seeded extractor with almost optimal min-entropy loss is given in [DPVR09]. Their extractor is secure against guessing entropy sources, and so trivially against quantum storage [KT08] (see Sec. 5 for details).
We reformulate the seeded extractor in terms of Def . 



Corollary 22 ([DPVR09, Corollary 5.3]). There exists an explicit $(k,\varepsilon)$ seeded extractor against $b$ quantum storage with seed length $d = O(\log^3(n/\varepsilon))$ and $m = d + k - b - 8\log(k - b) - 8\log\varepsilon^{-1} - O(1)$ output bits.

The proofs of Thms. 3 and 2 now follow by composing the explicit extractors of Lem. 19 and Cor. 22 as in Lem. 21.

Proof of Theorem 3. $E_D$ is an X-strong extractor against entangled storage with $\frac{1}{2}(k_1 + k_2 - 2b_2 - n - 2\log\varepsilon^{-1})$ almost uniform output bits. This is larger than $O(\log^3(n/\varepsilon))$ when $k_1 + k_2 - 2b_2 > n + \Omega(\log^3(n/\varepsilon))$, allowing us to compose it with the seeded extractor secure against $b_1 + b_2$ storage of Cor. 22 on the source $X$, obtaining $m = \frac{1}{2}(k_1 + k_2 - 2b_2 - n - 2\log\varepsilon^{-1}) + (k_1 - b_1 - b_2) - 8\log(k_1 - b_1 - b_2) - 8\log\varepsilon^{-1} - O(1)$. Similarly, $E_D$ is a Y-strong extractor, and can be composed with the seeded extractor on the source $Y$. Choosing the better of the two, we prove the desired result. □

Proof of Theorem 2. $E_D$ is an X-strong extractor against non-entangled storage with $\frac{1}{2}(k_1 + k_2 - b_2 - n - 2\log\varepsilon^{-1})$ almost uniform output bits. This is larger than $O(\log^3(n/\varepsilon))$ when $k_1 + k_2 - b_2 > n + \Omega(\log^3(n/\varepsilon))$. Composing with the seeded extractor secure against $b_1$ storage of Cor. 22 on the source $X$ gives $m = \frac{1}{2}(k_1 + k_2 - b_2 - n - 2\log\varepsilon^{-1}) + (k_1 - b_1) - 8\log(k_1 - b_1) - 8\log\varepsilon^{-1} - O(1)$, and similarly for $Y$. □



5 Guessing Entropy Adversaries 

In previous sections, we considered extractors in the presence of quantum adversaries with limited storage. 
A stronger notion of quantum adversary was also studied in the literature [Ren05, KT08, FS08, DPVR09, TSSR10].

Definition 23 ([KT08]). Let $X\rho_X$ be an arbitrary cq-state. The guessing entropy of $X$ given $\rho_X$ is

$$H_g(X \leftarrow \rho_X) := -\log\max_M \mathbf{E}_{x \leftarrow X}[\mathrm{Tr}(M_x\rho_x)],$$

where the maximum ranges over all POVMs $M = \{M_x\}_{x \in X}$.

Considering the probability distribution on the support of $X$ induced by measuring with $M$ on $\rho_X$ (which we denote by $M(\rho_X)$), the above can be perhaps more easily understood as $H_g(X \leftarrow \rho_X) = -\log\max_M \Pr[M(\rho_X) = X]$. Renner [Ren05] considered sources with high relative min-entropy, rather than guessing entropy. The two were shown to be equivalent [KRS09].



Footnote: We slightly sacrifice the parameters in the formulation of the theorem to simplify the result.

We can now define two-source extractors secure against non-entangled guessing entropy adversaries. Recall that in the non-entangled case the bounded storage is given by $\rho_X \otimes \rho_Y$ (see Def. 5). Here, we place a limit not on the amount of storage, but on the amount of information, in terms of guessing entropy, the adversaries have on their respective sources. That is, we require that the guessing entropy of $X$ ($Y$) given $\rho_X$ ($\rho_Y$) be high. We refer to the state $\rho_X \otimes \rho_Y$ as quantum knowledge, or if $\rho_x, \rho_y$ are classical for every $x, y$, as classical knowledge.

Definition 24. A $(k_1,k_2,\varepsilon)$ two-source extractor against quantum knowledge is a function $E : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^m$ such that for any independent sources $X, Y$ and quantum knowledge $\rho_X \otimes \rho_Y$ with guessing entropies $H_g(X \leftarrow \rho_X) \ge k_1$, $H_g(Y \leftarrow \rho_Y) \ge k_2$, we have $|E(X,Y)\rho_X\rho_Y - U_m\rho_X\rho_Y|_{\mathrm{tr}} \le \varepsilon$.

The extractor is called X-strong if $|E(X,Y)\rho_YX - U_m\rho_YX|_{\mathrm{tr}} \le \varepsilon$. It is called strong if it is both X-strong and Y-strong.

It was shown that $H_g(X \leftarrow \rho_X) \ge H_\infty(X) - \log\dim(\rho_X)$ [KT08]. Thus, we can view adversaries with bounded quantum storage as a special case of general adversaries. In particular, a $(k_1 - b_1, k_2 - b_2, \varepsilon)$ extractor against quantum knowledge is trivially a $(k_1,k_2,\varepsilon)$ extractor against non-entangled $(b_1,b_2)$ storage.

One-bit output case: König and Terhal [KT08] show that every classical one-bit output strong seeded extractor is also a strong extractor against quantum knowledge with roughly the same parameters. They reduce the "quantum security" of the extractor to the "classical security", irrespective of the entropy of the seed. Informally, $|E(X,Y)\rho_XY - U\rho_XY|_{\mathrm{tr}}$ is small if the statement is also true when $\rho_X$ is classical. We give a version of their Lem. 2 with slightly improved parameters. The lemma shows that it suffices to prove security of an extractor with respect only to classical knowledge obtained by performing a Pretty Good Measurement (PGM) [HW94] on arbitrary quantum knowledge. For a cq-state $Z\rho_Z$, a PGM is a POVM $\mathcal{E} = \{\mathcal{E}_z\}_{z \in Z}$ such that $\mathcal{E}_z = p(z)\rho_Z^{-1/2}\rho_z\rho_Z^{-1/2}$.

Lemma 25. Let $Z\rho_Z$ be a cq-state, and $f$ be a Boolean function. Then

$$|f(Z)\rho_Z - U\rho_Z|_{\mathrm{tr}} \le \sqrt{\tfrac{1}{2}\,|f(Z)\mathcal{E}(\rho_Z) - U\mathcal{E}(\rho_Z)|_{\mathrm{tr}}},$$

where $\mathcal{E} = \{\mathcal{E}_z\}_{z \in Z}$ is a Pretty Good Measurement, $\mathcal{E}_z = p(z)\rho_Z^{-1/2}\rho_z\rho_Z^{-1/2}$.

Proof. We need the following lemma.

Lemma 26 ([Ren05, Lemma 5.1.3]). Let $S$ be a Hermitian operator and let $\sigma$ be a nonnegative operator. Then $|S|_{\mathrm{tr}} \le \frac{1}{2}\sqrt{\mathrm{Tr}(\sigma)\,\mathrm{Tr}(\sigma^{-1/2}S\sigma^{-1/2}S)}$.

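Denote $\rho = \rho_Z$, $\rho_b = \sum_{z: f(z)=b} p(z)\rho_z$ for $b = 0,1$. Further define (informally) a POVM $M$ for guessing $f$ from $\rho_Z$ by first applying $\mathcal{E}$ to get $z$ and then computing $f(z)$. Then

$$\begin{aligned}
\Pr[M(\rho_Z) = f(Z)] &= \sum_z p(z) \sum_{z': f(z')=f(z)} \mathrm{Tr}(\mathcal{E}_{z'}\rho_z) \\
&= \mathrm{Tr}\Big( \sum_{z,z': f(z')=f(z)} \rho^{-1/2}(p(z')\rho_{z'})\rho^{-1/2}(p(z)\rho_z) \Big) \\
&= \mathrm{Tr}(\rho^{-1/2}\rho_0\rho^{-1/2}\rho_0 + \rho^{-1/2}\rho_1\rho^{-1/2}\rho_1),
\end{aligned}$$

and similarly $\Pr[M(\rho_Z) \ne f(Z)] = \mathrm{Tr}(\rho^{-1/2}\rho_0\rho^{-1/2}\rho_1 + \rho^{-1/2}\rho_1\rho^{-1/2}\rho_0)$. Hence

$$\big|\Pr[M(\rho_Z) = f(Z)] - \Pr[M(\rho_Z) \ne f(Z)]\big| = \mathrm{Tr}(\rho^{-1/2}(\rho_0 - \rho_1)\rho^{-1/2}(\rho_0 - \rho_1)). \qquad (7)$$

By Eq. (1), $|f(Z)\rho_Z - U\rho_Z|_{\mathrm{tr}} = |\rho_0 - \rho_1|_{\mathrm{tr}}$, and by Lem. 26, setting $S = \rho_0 - \rho_1$, $\sigma = \rho$,

$$|\rho_0 - \rho_1|_{\mathrm{tr}} \le \tfrac{1}{2}\sqrt{\mathrm{Tr}(\rho^{-1/2}(\rho_0 - \rho_1)\rho^{-1/2}(\rho_0 - \rho_1))}. \qquad (8)$$

Combining Eq. (7) with Eq. (8) gives

$$|f(Z)\rho_Z - U\rho_Z|_{\mathrm{tr}} \le \tfrac{1}{2}\sqrt{\big|\Pr[M(\rho_Z) = f(Z)] - \Pr[M(\rho_Z) \ne f(Z)]\big|}.$$

Finally,

$$\big|\Pr[M(\rho_Z) = f(Z)] - \Pr[M(\rho_Z) \ne f(Z)]\big| \le 2\,|f(Z)M(\rho_Z) - UM(\rho_Z)|_{\mathrm{tr}} \le 2\,|f(Z)\mathcal{E}(\rho_Z) - U\mathcal{E}(\rho_Z)|_{\mathrm{tr}},$$

as the left hand side describes a trivial strategy to guess $f$ from $M(\rho)$, giving the desired result. □

Footnote: $\mathcal{E}(\rho_Z)$ is a classical probability distribution and the trace distance $|f(Z)\mathcal{E}(\rho_Z) - U\mathcal{E}(\rho_Z)|_{\mathrm{tr}}$ reduces to the classical variational distance.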

Corollary 27. If $E$ is a classical one-bit output $(k_1,k_2,\varepsilon)$ two-source extractor, then it is a $(k_1 + \log\varepsilon^{-1}, k_2 + \log\varepsilon^{-1}, \sqrt{3\varepsilon/2})$ two-source extractor against quantum knowledge.

Proof. By Lem. 25, $|E(X,Y)\rho_X\rho_Y - U\rho_X\rho_Y|_{\mathrm{tr}} \le \sqrt{\tfrac{1}{2}\,|E(X,Y)\mathcal{E}(\rho_X\rho_Y) - U\mathcal{E}(\rho_X\rho_Y)|_{\mathrm{tr}}}$. A direct calculation shows that for every $x, y$, $\mathcal{E}(\rho_x \otimes \rho_y) = \mathcal{E}_1(\rho_x) \otimes \mathcal{E}_2(\rho_y)$, where $\mathcal{E}_1, \mathcal{E}_2$ are Pretty Good Measurements on states $X\rho_X$, $Y\rho_Y$ respectively. In other words, $\mathcal{E}(\rho_X \otimes \rho_Y)$ induces a classical distribution $C_X \otimes C_Y$. Thus

$$|E(X,Y)\rho_X\rho_Y - U\rho_X\rho_Y|_{\mathrm{tr}} \le \sqrt{\tfrac{1}{2}\,|E(X,Y)C_XC_Y - UC_XC_Y|_{\mathrm{tr}}}, \qquad (9)$$

where $H_g(X \leftarrow C_X) \ge H_g(X \leftarrow \rho_X)$, and the same for $Y$.

By the definition of (classical) guessing entropy, one can easily show that a classical $(k_1,k_2,\varepsilon)$ two-source extractor is a $(k_1 + \log\varepsilon^{-1}, k_2 + \log\varepsilon^{-1}, 3\varepsilon)$ extractor against classical knowledge (for details see Proposition 1 in [KT08]). Ineq. (9) then gives the desired parameters against quantum knowledge. □

By a similar argument and following the proof of Theorem 1 in [KT08], we get

Corollary 28. If $E$ is a classical one-bit output $(k_1,k_2,\varepsilon)$ X-strong extractor, then it is a $(k_1, k_2 + \log\varepsilon^{-1}, \sqrt{\varepsilon})$ X-strong extractor against quantum knowledge.

The multi-bit output case: We now show how to apply the results in the one-bit case, together with our XOR-Lemma 10, to show security in the multi-bit case, proving Thm.Hl

By Ineq. (5) in the proof of Cor. 14, inner product is a classical X-strong extractor with error $\varepsilon \le 2^{-(k_1+k_2-n+2)/2}$. Plugging this into Cor. 28 we obtain

Corollary 29. The function $E_{IP}^{A}(x,y) = Ax \cdot y$, for any full rank matrix $A$, is a $(k_1,k_2,\varepsilon)$ X-strong (Y-strong) extractor against quantum knowledge provided that $k_1 + k_2 > n - 2 + 6\log\varepsilon^{-1}$.

We now repeat the steps performed in Sec. 4 in the setting of non-entangled guessing entropy adversaries to obtain a multi-bit extractor against quantum knowledge. In exactly the same fashion as in the proof of Lem. 19 we use the XOR-Lemma 10 to reduce the security of $E_D$ to the strong one-bit case of Cor. [
Lemma 30. $E_D$ is a $(k_1,k_2,\varepsilon)$ X-strong (Y-strong) extractor against quantum knowledge provided that $k_1 + k_2 > 6m + n - 2 + 6\log\varepsilon^{-1}$.

Proof. By the XOR-Lemma 10 and Cor.

$$|E(X,Y)\rho_YX - U_m\rho_YX|_{\mathrm{tr}} \le \sqrt{2^m \sum_{S \ne 0} |(A_SX \cdot Y)\rho_YX - U_1\rho_YX|_{\mathrm{tr}}^2} \le 2^m \cdot 2^{-(k_1+k_2-n+2)/6}.$$

□



To obtain our final result, we now compose our strong extractor with a seeded extractor against quantum 
knowledge. 

Lemma 31. Let $E_B : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^d$ be a $(k_1,k_2,\varepsilon)$ X-strong extractor against quantum knowledge and let $E_S : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ be a $(k_1,\varepsilon)$ seeded extractor against quantum knowledge. Then $E(x,y) = E_S(x, E_B(x,y))$ is a $(k_1,k_2,2\varepsilon)$ extractor against quantum knowledge.

Proof. Immediate from the extractor definitions and the triangle inequality. □

Corollary 32 ([DPVR09, Corollary 5.3]). There exists an explicit $(k,\varepsilon)$ seeded extractor against quantum knowledge with seed length $d = O(\log^3(n/\varepsilon))$ and $m = d + k - 8\log k - 8\log\varepsilon^{-1} - O(1)$.

Proof of Theorem |H $E_D$ is an X-strong extractor against quantum knowledge with $\frac{1}{6}(k_1 + k_2 - n - 6\log\varepsilon^{-1}) - O(1)$ output bits. This is larger than $O(\log^3(n/\varepsilon))$ when $k_1 + k_2 > n + \Omega(\log^3(n/\varepsilon))$. Composing with the seeded extractor of Cor. 32 on the source $X$ gives $m = \frac{1}{6}(k_1 + k_2 - n - 6\log\varepsilon^{-1}) + k_1 - 8\log k_1 - 8\log\varepsilon^{-1} - O(1)$, and similarly for $Y$. □
A Many Bit Extractors Against Quantum Storage from Classical Storage

König and Terhal [KT08] prove that any (classical) seeded extractor is secure against non-entangled quantum storage, albeit with exponentially larger (in the storage size) error. Their proof is also valid for X-strong (Y-strong) two-source extractors.

Their Lemma 5 essentially shows that every $(k_1,k_2,\varepsilon)$ X-strong extractor has error $4 \cdot 2^{3b_2} \cdot \varepsilon$ against $(b_1,b_2)$ quantum storage (for any $b_1$), assuming $H_\infty(X) \ge k_1$ and $H_g(Y \leftarrow \rho_Y) \ge k_2 + \log\varepsilon^{-1}$. Recall that $H_g(Y \leftarrow \rho_Y) \ge H_\infty(Y) - b_2$. Adapted to our definitions, their result is

Lemma 33 ([KT08, Lemma 5]). Let $E$ be a $(k_1,k_2,\varepsilon)$ X-strong extractor. Then $E$ is a $(k_1, k_2 + b_2 + \log\varepsilon^{-1}, 4 \cdot 2^{3b_2}\varepsilon)$ X-strong extractor against $(b_1,b_2)$ non-entangled storage.

In particular, this shows that $E_D$ is an X-strong extractor with $m = k_1 + k_2 - 10b_2 - n - 4 - 3\log\varepsilon^{-1}$. For comparison, our Lem. 19 gives $m = \frac{1}{2}(k_1 + k_2 - b_2 - n + 2 - 2\log\varepsilon^{-1})$, which is better when the storage is large, say, $b_2 > k_2/19$.

For completeness, we derive an alternate version of Thm. 2 based on Lem. 33, by composing the extractor above with the seeded extractor of [DPVR09].

Theorem 34. The DEOR-construction is a $(k_1,k_2,\varepsilon)$ extractor against $(b_1,b_2)$ non-entangled storage with $m = (1 - o(1))\max(k_1 - 9b_2, k_2 - 9b_1) + k_1 - b_1 + k_2 - b_2 - n - 11\log\varepsilon^{-1} - O(1)$ output bits provided $k_1 + k_2 - 10\max(b_1,b_2) > n + \Omega(\log^3(n/\varepsilon))$.

Here too we are able to extract more bits than guaranteed by Thm. 2 when the storage is symmetric and constitutes a small fraction ($< 1/19$) of the min-entropy. In particular, the storage must be at least ten times smaller than the min-entropy, whereas no such restriction exists in Thm. 2.

We note that it is not immediately possible to obtain an analogue of Lem. 33 for weak two-source extractors. The proof relates the security of an extractor with respect to quantum side information, to its security with respect to classical side information. In the weak extractor setting, it thus suffices to consider classical side information of the form $\mathcal{F}(\rho_X \otimes \rho_Y)$ for some specific POVM $\mathcal{F}$ given in the proof. The problem with this approach is that generally $\mathcal{F}(\rho_X \otimes \rho_Y)$ might induce a random variable $C_{XY}$ correlated with both $X$ and $Y$, breaking the independence assumption (i.e., when conditioning on values of $C_{XY}$, $X$ and $Y$ might not be independent) and rendering the classical extractor insecure. It is not inconceivable that $\mathcal{F}$ does have the property $\mathcal{F}(\rho_X \otimes \rho_Y) = C_X \otimes C_Y$, but we leave this open.